1. Field of the Invention
The invention relates to a technique of managing the bandwidth of data traffic in an Internet Protocol (IP) Virtual Private Network (VPN) so as to provide Quality of Service (QoS) for the VPN, where VPN traffic is communicated preferably over the VPN.
2. Discussion of the Related Art
IP VPNs (hereinafter “VPNs”) are specially configured networks that allow a group of users to communicate only with each other in a secured manner. Generally, VPNs are implemented over unsecured public networks of the wired nature (e.g., cable, DSL, dial-up, etc.) and/or of the wireless nature (e.g., IEEE 802.11 wireless local area networks (LANs), cellular digital packet data (CDPD) networks, etc.). In a VPN, data packets are encrypted and encapsulated in other packets to provide more secure data communication. The packet that encapsulates the original packet is referred to herein as the “encapsulating packet,” whereas the original packet is referred to herein as the “encapsulated packet.”
QoS refers to a technique and ability to control certain network requirements such as bandwidth requirements for packet transmission, latency requirements, maximum packet loss, etc. There are a number of different ways to provide QoS to existing TCP/IP-based networks that do not employ VPNs. For instance, the Internet Engineering Task Force (IETF), the standards body that defines new protocols and application requirements, has proposed a differentiated services (DiffServ) framework and an integrated services framework for providing QoS to non-VPNs. Also, the use of an existing TCP rate control mechanism to provide QoS in a non-VPN has been proposed by Packeteer, Inc., Allot Communications, Ltd., and Sitara Networks, Inc.
Among the known QoS methods, one way of providing QoS in a non-VPN is to use a special field called the Type of Service (ToS) in the header of an IP packet. Generally, an IP packet consists of a header and a body. The body contains data, whereas the header contains information such as source and destination IP addresses, the protocol type used in the data, etc. The ToS field in the header of the packet is 3 bits in length. The value of these 3 bits in an IP packet specifies the level of priority this packet should receive in the network. With a 3-bit ToS field, a total of 8 priority levels can be specified. Once the priority level is set in the packet (either by the application or by a router/switch/gateway along the path of this packet), all subsequent devices which this packet traverses treat this packet according to the specified priority. For instance, a router which receives two packets, one with priority 1 and the other with priority 6, will forward the higher priority packet before forwarding the lower priority packet. Ultimately, this results in higher bandwidth, and lower delay, loss and jitter characteristics for the packets with higher priorities, thereby ensuring QoS. The IETF DiffServ proposal specifies the use of 6 bits (called DiffServ bits) in the header of an IP packet for the same purpose.
However, such existing QoS methods for non-VPNs simply do not work for VPNs because the header information of encapsulated packets communicated in VPNs is encrypted and the existing QoS methods for non-VPNs require such header information to be in a non-encrypted form (in clear text).
Recently, a proposal has been made by Radguard, Inc. and Allot Communications, Ltd. to provide QoS for VPNs using ToS or DiffServ bits. With VPNs, it is known that the original IP packet is encrypted and encapsulated in another IP packet. This means that the ToS or DiffServ bits in the original IP header are now hidden from any router/switch which is supposed to treat incoming packets based on priority. The Radguard and Allot proposal deals with IP packets constituting the IP layer (Layer 3), and simply removes this shortcoming by copying the ToS/DiffServ bits of the original IP header into the header of the encapsulating IP packet. This way the priority information is available to all devices that receive the packet.
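The inner-to-outer copying of ToS/DiffServ bits described above, as an added Python example that is not part of the patent text. It builds plain 20-byte IPv4 headers with struct, treats the inner packet as an opaque payload (the VPN encryption step is omitted), and shows that a router reading only the outer header sees no priority unless the bits are copied. The ESP protocol number 50 for the outer header is an assumption of this example.

```python
import struct
import ipaddress

IP_PROTO_ESP = 50  # assumed outer-header protocol (IPsec ESP), not from the patent text


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over a 20-byte header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, tos: int, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header without options; the ToS octet carries the priority bits."""
    fields = [(4 << 4) | 5, tos, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ipv4_checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def tos_precedence(tos: int) -> int:
    """The 3-bit IP precedence (8 priority levels) in the ToS octet."""
    return tos >> 5


def tos_dscp(tos: int) -> int:
    """The 6-bit DiffServ code point in the same octet."""
    return tos >> 2


def encapsulate(inner: bytes, outer_src: str, outer_dst: str, copy_tos: bool) -> bytes:
    """Wrap a whole original packet in an encapsulating packet.

    A real VPN gateway would encrypt `inner` here; this example keeps it as-is
    to focus on which priority bits the outer header exposes.
    """
    outer_tos = inner[1] if copy_tos else 0  # byte 1 of the inner header is its ToS octet
    return build_ipv4_header(outer_src, outer_dst, outer_tos, IP_PROTO_ESP, len(inner)) + inner


def visible_priority(packet: bytes) -> tuple:
    """What a router on the path can read: (precedence, DSCP) of the outermost header."""
    return tos_precedence(packet[1]), tos_dscp(packet[1])


if __name__ == "__main__":
    # Constructed sample: inner packet marked DSCP 46 (ToS octet 0xB8, precedence 5).
    inner = build_ipv4_header("10.0.0.5", "10.0.1.9", 0xB8, 17, 8) + b"\x00" * 8
    print("no copy :", visible_priority(encapsulate(inner, "192.0.2.1", "198.51.100.1", False)))
    print("copied  :", visible_priority(encapsulate(inner, "192.0.2.1", "198.51.100.1", True)))
```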
Another proposal for a QoS method applicable to a VPN has been made by an IEEE 802.11e working group. However, the IEEE proposal addresses QoS for only the wireless link and is concerned with enhancing QoS for the media access control (MAC) protocol. Thus, for a packet traversing multiple devices, the IEEE proposal would only work for the wireless side (i.e., the link between the client and the Access Point (AP)) and not for the wired side (e.g., the link between the server and the AP). The IEEE proposal is still in the draft stage and at this time consists of two ways to satisfy the different QoS needs of different frames which constitute the MAC layer (Layer 2).
The first way to provide QoS according to the IEEE proposal is using different priority levels of frames. Similar to IP packets, this allows the use of a priority field in the frame header and based on the value in this field, only the Access Point determines which frames receive preferential treatment. The second way to provide QoS according to the IEEE proposal is using a modification to the current channel access mechanism. This modification essentially allows the Access Point to schedule packet transmissions from each client at pre-specified times based on the QoS requirements of each client.
However, there are problems associated with the existing QoS techniques. First, none of the QoS techniques for VPNs above effectively addresses the bandwidth gap between the wired and wireless sides. Generally, the maximum bandwidth for switched Ethernet wired networks is typically 100 Mbps, whereas the effective bandwidth for wireless 802.11b networks is only approximately 7 Mbps. But the existing QoS techniques do not provide the effective bandwidth management needed to conduct data transmission over such a tight bandwidth allotment on the wireless side. Secondly, the QoS techniques for the wired side cannot be combined with the QoS techniques for the wireless side to provide an end-to-end solution, because they operate on different layers. For instance, the IEEE proposal operates on the frames which constitute the MAC layer (Layer 2), whereas the Radguard proposal operates on IP packets constituting the IP layer (Layers 3 and 4).
Therefore, there is a need for an improved technique of managing the bandwidth of data traffic for VPNs to provide QoS, which overcomes the above-described problems and limitations of the related art.